Any patch in a storm? The debate rages anew

By Ellen Messmer and John Fontana, Network World
January 09, 2006 12:10 AM ET
As network professionals scramble to repel a series of exploits that target a hole in the Windows Metafile image-rendering engine - a vulnerability some say Microsoft was tardy addressing - disagreement is flaring again over the wisdom of applying unauthorized patches as a stopgap in such situations.

"In this case, Microsoft is taking too long," says Johannes Ullrich, chief research officer at the SANS Institute, which last week took the unusual step of issuing an emergency patch for WMF made by a Russian researcher, before Microsoft bowed to public pressure and released its own five days ahead of when it originally had promised. The SANS patch, which Ullrich says has been thoroughly tested, had been downloaded more than 80,000 times before Microsoft offered its version. Security vendor Eset also issued a patch.

Microsoft, which had urged customers to avoid third-party patch remedies, learned of the exploit Dec. 27 and originally said the earliest it could provide a patch would be this Tuesday, as part of the company's monthly security release - a timetable that drew questions and criticism.

"On a zero-day exploit, it is kind of tough to move fast enough," says Joe Wilcox, an analyst at Jupiter Research.

IBM acknowledged that Lotus Notes Versions 6 and higher also have the WMF flaw and advised its customers to wait for the Microsoft patch.

The WMF hole left Windows desktop users vulnerable to dozens of attacks carried out via malicious code embedded in Web sites and e-mail. Some WMF-related assaults blasted victims with the announcement "Congratulations, you've been infected!" and wholly ripped their machines out of their control, while others quietly seeded computers with spyware and adware.

The episode also added fuel to a long-running debate about third-party patches.

Ullrich says the SANS emergency patch was especially needed in this case because anti-virus software updates to combat the wide variety of WMF exploits were not keeping pace in terms of signature updates. Last week SANS was assisting corporations and government agencies in applying the emergency patch.

However, other experts express general misgivings about applying unauthorized patches.

"Accepting patches from anyone other than a vendor is a bad idea," says John Pescatore, a Gartner analyst. "We have seen what happens when people believe they can get patches via e-mail or Web sites other than the vendor's: phishing attacks spoof them and all hell breaks loose. The next volunteer patch is likely to be a rootkit." He says using workarounds, such as restricting use of WMF and the Web for a limited time, would be a "much better, safer way to go" than taking the risk of an unofficial patch.

Although 10 days to get a patch out may seem long to customers, it's actually "very, very good," Pescatore says. A business-quality patch typically takes at least 30 days, and 90 days is not out of the question, he says. Using a volunteer patch in the meantime only means you have to uninstall it when the vendor does produce one, he adds.
